File Permissions

A Tutorial



Craig M. Buchek

St. Louis UNIX Users Group

May 12, 2004


"To promote the progress of science and useful arts, by securing for limited times to

authors and inventors the exclusive right to their respective writings and discoveries"

                                -- US Constitution, Article 1, Section 8

Intro

  • UNIX is a multi-user platform
    • Multiple users have access to system resources
    • Even single-user UNIX/Linux systems have multiple processes running
  • For security reasons, we want to restrict file access
    • Users (and processes) should only be able to access what they need
  • Each file and directory has permissions
    • Defines which users have access to do various functions

File Ownership

  • Every file is "owned" by a single user
    • User who creates the file is the initial owner
    • Owner decides who can do what with the file, by setting permissions
    • Disk quota usage (if enabled) is charged to owner
  • Every file has a group associated with it
    • User can be member of multiple groups
      • Primary group listed in /etc/passwd
      • Other groups listed in /etc/group
    • Default group of a new file is (usually) the user's primary group

  • -rwxrwxr-x 2 booch users 4096 May 11 14:45 file

Changing the Owner (chown)

  • Only root can change the owner in most UNIX variants
    • Otherwise, you could "give" a file to someone to avoid quota limits
  • The file owner can change the group of a file
    • But must be a member of the group he is changing it to
    • Changing group is helpful in allowing some users access

  • chown username filename
  • chgrp groupname filename
  • chown username:groupname filename
  • chown username.groupname filename
  • chown -R username dirname

File Protection Modes

  • UGO - User, Group, Other
    • Always listed in this order
    • The first that matches is the one that pertains
      • Permissions are not cumulative
  • RWX - Read, Write, Execute
  • Directories
    • R allows listing of the directory
    • W allows creating, deleting, and renaming files in the directory
    • X allows access to files in the directory
      • You have to know the name if you don't have list (R) access

Setting File Protections (chmod)

  • chmod permissions filename
  • Set exact permissions:
    • chmod u=rwx,g=rw,o= filename
  • Add or remove permissions:
    • chmod ugo+r filename
    • chmod a-w filename
    • chmod o+X filename
      • (Add X for Other if file already has an X set somewhere else)
  • Set the permissions for one class the same as another
    • chmod g=u filename
  • Octal
    • chmod 640 filename

Octal Representation of Protection Bits

  • R=4, W=2, X=1
  • Add the R+W+X for each of U, G, O
  • Examples
    • 644: u=rw,g=r,o=r
    • 755: u=rwx,g=rx,o=rx
    • 640: u=rw,g=r,o=

SUID, SGID, and Sticky Bit

  • Programs with SUID (4000) set
    • Process runs as the owner of the program
    • chmod ugo+x,u+s filename
  • Programs with SGID (2000) set
    • Process runs with the group of the program
    • chmod ugo+x,g+s filename
  • Directories with SGID (2000) set
    • Default group of new files is the group of the directory
  • Directories with the sticky bit (1000) set
    • Users can only delete or rename files that they own
    • Otherwise the W bit on a directory allows create, delete, and rename
    • Should be set on shared temporary directories
    • chmod +t dirname

Extended Attributes

  • ACLs - Access Control Lists
    • More fine-grained: lists of multiple users/groups in addition to UGO
    • UGO permissions still apply
    • Still uses RWX
    • Many UNIX variants have support
    • getfacl / setfacl
  • Linux lsattr / chattr
    • a - append-only (good for log files)
    • i - immutable (even root can't modify)

Presentation Info